VPNFilter Malware – Router botnet

A huge botnet consisting of at least 500,000 compromised routers and network-attached storage (NAS) devices has been detected by security researchers. The malware is known as VPNFilter and largely targets small office / home routers and NAS devices.

VPNFilter is malware that targets routers and NAS devices in order to steal files and information and to examine network traffic as it flows through the device. Once installed, the malware consists of three stages, each performing specific functions.

Different stages of VPNFilter malware

Stage 1 is installed first and allows the malware to persist even when the router is rebooted.

Stage 3 consists of various plugins that can be installed into the malware to add functionality, such as sniffing the network, monitoring communications, and communicating over Tor (Tor is free software for enabling anonymous communication).

Routers that are known to be affected by VPNFilter

According to reports from Cisco, Symantec, and the Security Service of Ukraine, the affected routers are:

Linksys E1200

Linksys E2500

Linksys WRVS4400N

Mikrotik RouterOS Versions for Cloud Core Routers: 1016, 1036, 1072

Netgear DGN2200

Netgear R6400

Netgear R7000

Netgear R8000

Netgear WNR1000

Netgear WNR2000

QNAP TS251

QNAP TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link R600VPN

While the devices listed above are the ones currently known to be infectable by VPNFilter, there is no guarantee that they are the only ones. Therefore, everyone should follow the recommendations below to harden and secure their routers, regardless of make and model.

If you own an affected device, what should you do?

1. Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting removes Stage 2 and any Stage 3 elements present on the device, which (at least temporarily) removes the destructive component of VPNFilter. However, because Stage 1 survives the reboot, the attackers can reinstall Stages 2 and 3 on an infected device.

2. You should also return the router or NAS device to its factory settings. This is typically done by pressing and holding the reset switch while turning the device off and on again. Before you begin, search for and save any instructions and user/internet credentials that you may need to get the router connected again, so you have them on hand.

3. You should also check the manufacturer’s website for the latest firmware update.

4. Change your password and make sure you’re not using an easy-to-crack or factory default password.

5. Ensure that remote management is turned off on your router and NAS device.

Should you reset your router even if it’s not one of the listed ones?

This is a tough one. On one hand, it’s always better to be safe than sorry. On the other, for some people it can be very difficult to configure a router from scratch.

With that said, we do suggest that you follow the steps above: having your router run the latest firmware is only beneficial, and the other steps further protect your device.